When a computer connects to an access point, it generally stores the details of that connection locally. The next time the computer is turned on, the wireless network card immediately looks for that network and re-establishes the connection – without user intervention.
This is accomplished by sending out a probe request into the airwaves with the SSID of the requested access point contained in the packet. The AP sees this packet and sends back a probe response, thus kicking off the connection routine. However, since the SSID value is sent as plain text, anyone with a sniffer can see it. An attacker can use this information to configure an AP with the requested SSID; that AP will then see the probe for the requested SSID and respond as the client expects. Programs like Karma automate this process and can quickly establish a connection with a wireless user, thus taking over their web connection, email, and more.
This function can be turned off by disabling it in the Services list of Windows XP. On other operating systems the same effect can be achieved by setting up the connection manually each and every time the wireless card is enabled.
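The behaviour described above leaves two traces that a defender can look for in a passive capture: a client that probes for every SSID it has saved, and a Karma-style AP that answers probes for many unrelated SSIDs. The following Python is an added example, not code from the article or from Karma; it assumes the sniffer output has already been reduced to the constructed one-line-per-frame form shown in `SAMPLE_CAPTURE`, and all MAC addresses, SSIDs and the `max_ssids` threshold are made up for the demonstration.

```python
"""Flag Karma-style access points and leaked preferred-network lists in a probe log.

Added example (not part of the original article). It assumes a sniffer has
already been reduced to one line per management frame in the constructed
form shown below; the MAC addresses and SSIDs are invented for the demo.
"""
from collections import defaultdict

# Constructed sample capture. Each line is: <frame type>,<source MAC>,<SSID>
# A client reveals its saved-network list by probing for each SSID in turn;
# a Karma-style AP answers every probe it sees, so one BSSID responds with
# many different SSIDs. A genuine AP answers only for the SSIDs it serves.
SAMPLE_CAPTURE = """\
probe_req,02:11:22:33:44:55,CoffeeShopWiFi
probe_req,02:11:22:33:44:55,HomeNet
probe_req,02:11:22:33:44:55,CorpGuest
probe_resp,0a:bb:cc:dd:ee:01,CoffeeShopWiFi
probe_resp,0a:bb:cc:dd:ee:01,HomeNet
probe_resp,0a:bb:cc:dd:ee:01,CorpGuest
probe_req,02:66:77:88:99:00,AirportFree
probe_resp,0a:bb:cc:dd:ee:02,AirportFree
probe_resp,0a:bb:cc:dd:ee:02,AirportFree
"""


def parse_capture(text):
    """Yield (frame_type, mac, ssid) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3 or not parts[0]:
            continue
        yield parts[0], parts[1].lower(), parts[2]


def ssids_per_responder(records):
    """Map each responding BSSID to the set of SSIDs it claimed to serve."""
    claimed = defaultdict(set)
    for frame_type, mac, ssid in records:
        if frame_type == "probe_resp":
            claimed[mac].add(ssid)
    return claimed


def flag_promiscuous_aps(text, max_ssids=2):
    """Return BSSIDs that answered probes for more than max_ssids distinct SSIDs.

    max_ssids is a tuning assumption: a real AP may legitimately serve a few
    SSIDs, so set the threshold from what the local environment normally shows.
    """
    claimed = ssids_per_responder(parse_capture(text))
    return sorted(mac for mac, ssids in claimed.items() if len(ssids) > max_ssids)


def leaked_preferred_networks(text):
    """Map each probing client to the SSIDs it revealed in the clear."""
    leaked = defaultdict(set)
    for frame_type, mac, ssid in parse_capture(text):
        if frame_type == "probe_req" and ssid:
            leaked[mac].add(ssid)
    return {mac: sorted(s) for mac, s in leaked.items()}


if __name__ == "__main__":
    for mac in flag_promiscuous_aps(SAMPLE_CAPTURE):
        print("suspicious AP (answers many SSIDs):", mac)
    for mac, ssids in leaked_preferred_networks(SAMPLE_CAPTURE).items():
        print("client", mac, "revealed saved networks:", ", ".join(ssids))
```

On the sample, `0a:bb:cc:dd:ee:01` is flagged because it answered three unrelated probes, while `0a:bb:cc:dd:ee:02` is not, since it only ever answered for the single SSID it serves. The second report shows what each client gave away simply by having auto-connect enabled, which is the behaviour the paragraph above recommends switching off.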
4. Bluetooth exploits
BlueSnarfing: OBEX protocol exploit that allows hackers to secretly access the mobile phone’s calendar, pictures, phone contact list, etc. without the owner knowing.
BlueBugging: Allows hackers to send SMS messages from a remote vulnerable phone, spoofing the sender. This is not the same as BlueSnarfing, and it affects only some phones.
BlueJacking: By changing the name of their phone, the hacker can trick victims into accepting Bluetooth connections. Normally, the name of the phone is the make and model of the device. If the hacker changes it to “click here for free cash”, the victim will often mistakenly click the pop-up, thus allowing the hacker to connect to the device. BlueJacking can be used by hackers to infect phones, to show obscene movies, etc.
Bluetooth DoS attacks: As with most things, Bluetooth is also vulnerable to certain types of denial of service attacks. Hackers can send invalid Bluetooth requests to a mobile device or phone, which ties up the whole channel. This hinders legitimate devices from making contact via Bluetooth with the attacked device.
5. WEP Weaknesses
WEP encryption is still one of the most common security implementations, and its passwords can easily be cracked using Airsnort. It takes less than an hour to crack a busy access point’s password; the more packets captured, the faster it is to crack.
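The reason capture volume matters is that WEP builds each packet's RC4 keystream from the shared key plus a 24-bit initialisation vector sent in the clear, so a single key has only 2^24 keystreams and repeats start to appear after a few thousand packets. The Python below is an added worked calculation, not code from the article or from Airsnort; it assumes IVs are chosen at random (real implementations that count sequentially repeat even more predictably) and uses only the IV size as input.

```python
"""Why more captured WEP traffic means a faster crack: IV reuse.

Added example, not from the original article. WEP derives each packet's
RC4 keystream from the shared key plus a 24-bit initialisation vector (IV)
sent in the clear, so there are only 2**24 distinct keystreams per key; the
numbers below follow from that size alone and assume IVs are drawn at random.
"""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs per WEP key


def repeat_probability(packets, space=IV_SPACE):
    """Probability that at least one IV repeats among `packets` random IVs.

    Uses the exact birthday-problem product, accumulated in log space so
    large packet counts do not underflow.
    """
    if packets >= space:
        return 1.0
    log_no_repeat = 0.0
    for k in range(packets):
        log_no_repeat += math.log1p(-k / space)
    return 1.0 - math.exp(log_no_repeat)


def packets_for_repeat_probability(target, space=IV_SPACE):
    """Smallest packet count at which an IV repeat is at least `target` likely.

    Starts from the closed-form birthday estimate sqrt(2 * space * ln(1/(1-target)))
    and then walks to the exact crossover point.
    """
    n = int(math.sqrt(2 * space * math.log(1 / (1 - target))))
    while repeat_probability(n, space) < target:
        n += 1
    while n > 0 and repeat_probability(n - 1, space) >= target:
        n -= 1
    return n


def expected_repeats(packets, space=IV_SPACE):
    """Expected number of colliding IV pairs; each pair leaks a keystream XOR."""
    return packets * (packets - 1) / (2 * space)


if __name__ == "__main__":
    for n in (1_000, 5_000, 50_000, 500_000):
        print(f"{n:>8} packets: P(IV repeat) = {repeat_probability(n):.3f}, "
              f"expected colliding pairs = {expected_repeats(n):.1f}")
    print("packets for a 50% chance of one repeat:",
          packets_for_repeat_probability(0.5))
```

Running it shows a better-than-even chance of a repeated keystream after roughly 4,800 packets, and thousands of colliding pairs by the time half a million packets have gone by, which is a few minutes of traffic on a busy AP. That is the arithmetic behind the "more packets, faster crack" observation, and it is why the mitigation is to move off WEP rather than to rotate WEP keys.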
Handheld Mobile Devices (Smartphones and PDAs)
6. Clear Text Encryption Passwords
Mobile devices are portable. They get lost, stolen, and can quickly and easily be accessed when left lying around. Unfortunately, there are many third-party “encryption” programs that do not properly secure sensitive information such as username/password info, financials, etc. We have found that some of the most popular mobile encryption programs even store the password in plain text in the registry.
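The difference between the weak products described above and a sound one is what gets written to the registry or settings store. The following Python is an added example, not code from the article or from any of the encryption programs it refers to: it puts the plaintext pattern beside a hardened one that stores only a random salt and a PBKDF2-HMAC-SHA256 verifier, with a plain dict standing in for the registry. The iteration count and sizes are ordinary assumptions, not values taken from the page.

```python
"""Storing a master password: the weak pattern next to a hardened one.

Added example, not code from the article or from any product it mentions.
The store is a plain dict standing in for a registry key or settings file;
the PBKDF2 parameters are ordinary choices, not values taken from the page.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor
SALT_BYTES = 16
VERIFIER_BYTES = 32


# --- Weak pattern the article describes: the password itself is stored. ---
def weak_store(settings, password):
    """Writes the password in the clear; anyone who reads the store has it."""
    settings["master_password"] = password


def weak_check(settings, candidate):
    return settings.get("master_password") == candidate


# --- Hardened pattern: store a salted, slow-hashed verifier instead. ---
def hardened_store(settings, password):
    """Store a random salt and a PBKDF2-HMAC-SHA256 verifier, never the password."""
    salt = os.urandom(SALT_BYTES)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, VERIFIER_BYTES
    )
    settings["master_salt"] = salt.hex()
    settings["master_verifier"] = verifier.hex()
    settings["master_iterations"] = PBKDF2_ITERATIONS


def hardened_check(settings, candidate):
    """Recompute the verifier from the stored salt and compare in constant time."""
    try:
        salt = bytes.fromhex(settings["master_salt"])
        expected = bytes.fromhex(settings["master_verifier"])
        iterations = int(settings["master_iterations"])
    except (KeyError, ValueError):
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, len(expected)
    )
    return hmac.compare_digest(actual, expected)


def store_reveals_password(settings, password):
    """True if the password can be read straight out of the stored values."""
    return any(password == str(v) for v in settings.values())


if __name__ == "__main__":
    weak, hardened = {}, {}
    weak_store(weak, "correct horse")
    hardened_store(hardened, "correct horse")
    print("weak store leaks password:", store_reveals_password(weak, "correct horse"))
    print("hardened store leaks password:", store_reveals_password(hardened, "correct horse"))
    print("hardened check, right password:", hardened_check(hardened, "correct horse"))
    print("hardened check, wrong password:", hardened_check(hardened, "wrong"))
```

The check function is the easy part; the point is what a thief who dumps the store gets. With the weak pattern they get the password directly. With the hardened pattern they get a salt and a verifier that cost a full PBKDF2 run per guess, and in a real encryption product the data key would be derived from the password in the same way rather than stored, so nothing in the registry unlocks the data on its own.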